Citrix: NetScaler applet hangs at 99% “Logging in”

Written by Ingmar Verheij on November 27th, 2013. Posted in Netscaler

When a Citrix NetScaler is configured using a graphical interface a browser is used to connect to the Citrix NetScaler. Starting NetScaler release 10 a part of the configuration is migrated from Java Applets to HTML5, but most configuration are still depending on Java Applets.

When you open a more advanced configuration the Java Applet is loaded automatically., If it hangs at 1% “Downloading Applet…” you might want to read this article.If it hangs at 99% “Logging in” continue reading.

Logging in

After loading the Java Applet and trying to log in the following error is raised.

Login Failed - No Response from System. Please check your connection. (Connection timed out: connect)



In my case the Citrix NetScaler was placed in a different VLAN than my client was, the VLANs where separated by a firewall.

What is good to know is that for the normal GUI  communication is done via TCP port 80 for non-secure (HTTP) or TCP port 443 for secure (HTTPS). The Java Applet communicates uses different ports: TCP port 3008 for secure or TCP port 3010 for non-secure .


Source: Communication ports used by Citrix Technologies [PDF]


Port Query

To determine if your client could reach the port you can use Port Query GUI (provided by Microsoft – link). This standalone utility can verify if ports can be reached and tells you within seconds if this is the problem.

  • Specify the destination IP or FQDN of the NetScaler IP (NSIP)
  • Select query type Manually input query ports
    • Ports to query: 80,443,3008,3010
    • Protocol: TCP
  • Click on Query


The query should return LISTENING for port 80+3010 for non-secure communication or 443+3008 for secure communication.

Port Query

This example clearly shows that TCP port 3008 and 3010 are filtered by a firewall.




Ingmar Verheij

At the time Ingmar wrote this article he worked for PepperByte as a Senior Consultant (up to May 2014). His work consisted of designing, migrating and troubleshooting Microsoft and Citrix infrastructures. He was working with technologies like Microsoft RDS, user environment management and (performance) monitoring. Ingmar is User Group leader of the Dutch Citrix User Group (DuCUG). RES Software named Ingmar RES Software Valued Professional in 2014.

More Posts - Website

Follow Me:
TwitterLinkedInGoogle Plus

Tags: , ,

Trackback from your site.

Comments (4)

  • Ronan O'Brien
    29 November 2013 at 22:10 |

    Nice troubleshooting Ingmar! This has been the case for all previous versions of the config utility too… Not just 10.x.

    • Ingmar Verheij
      30 November 2013 at 19:04 |

      Hi Ronan, long time no see (august, stockholm)!
      Thanks for the additional information.

  • Marcel A' Campo
    9 December 2013 at 14:13 |

    Hello Ingmar, everything ok?

    I noticed that your article states that 3008 is for unsecure and 3010 for secure. I believe it is the other way around: &

    • Ingmar Verheij+
      10 December 2013 at 08:57 |

      Hi Marcel. Good! You? You’re right, I switched 3008 and 3010 in one place (luckely the image was good). Thanks for the feedback.

Leave a comment



%d bloggers like this: